No Portscan Traffic

BASE-user
JLO
2004-12-29
2013-06-03
  • JLO
    2004-12-29

    I added snortdb-extra.gz into my Snort database AFTER I created my base_conf.php when I realized BASE wasn't showing any "Portscan traffic".  I receive spp_portscan alerts in /var/log/snort/alerts but not in BASE.  What do I need to do?

    • Kevin Johnson
      2005-01-04

      Are your alerts being logged to the database also?  BASE will not read from files currently.

      Kevin
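One way to answer Kevin's question (are the portscan alerts actually reaching the database, or only the alert file?) is to query the Snort database directly. The following is an added example, not code from this thread or from the BASE project. It assumes the standard Snort database schema (an `event` table whose `signature` column references `signature.sig_id`, with `sid` being the sensor id) and it assumes the signature-name prefixes each preprocessor uses when logging (`spp_portscan:` for the old preprocessor, `(portscan)` for sfportscan); both patterns are assumptions and should be checked against what the `signature` table actually contains.

```sql
-- Added example: check whether portscan alerts are being logged to the Snort database.
-- Assumes the standard Snort DB schema (event, signature). The sig_name patterns
-- below are assumptions about how each preprocessor labels its alerts.

-- 1. Count portscan-related events per signature name and sensor, with the time range
--    they cover, so the result can be compared against the alert file.
SELECT s.sig_name,
       e.sid            AS sensor_id,
       COUNT(*)         AS events,
       MIN(e.timestamp) AS first_seen,
       MAX(e.timestamp) AS last_seen
FROM event e
JOIN signature s ON s.sig_id = e.signature
WHERE s.sig_name LIKE 'spp_portscan:%'   -- old preprocessor (assumed prefix)
   OR s.sig_name LIKE '(portscan)%'      -- sfportscan (assumed prefix)
GROUP BY s.sig_name, e.sid
ORDER BY last_seen DESC;

-- 2. Sanity check that the database output plugin is logging anything at all
--    and that the latest event is recent.
SELECT COUNT(*)       AS total_events,
       MAX(timestamp) AS latest_event
FROM event;
```

If the first query returns no rows while the alert file keeps filling with spp_portscan lines, the alerts never reach the database and the problem is on the Snort output side, not in BASE. If it returns rows whose names start with `spp_portscan:` but BASE still shows no "Portscan traffic", the data is there and the gap is in how that BASE version classifies the old preprocessor's alerts, which is what the later replies in this thread discuss.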

       
    • papiva
      2005-01-07

      I have a variation of this same question. I am getting SPP_Portscans but they are showing up under TCP. With ACID, they were showing up under Portscans.

      I previously applied the snortdb-extra.gz tables in Mysql.  I am logging to the Mysql database too. I updated Snort 2.2.0 and am using Base 1.0

    • Walter Brock
      2005-01-18

      If you are using the older portscan detector under snort, then newer versions of base will ignore the portscan alerts.

      I have patched my version of base 1.0.1 using some bits of code from 0.9.7 to get spp_portscans working correctly again.

      If anyone wants I could post a patch file to accomplish this, but the better answer would be to use the new portscan detector in snort.

      Wally

      • Kevin Johnson
        2005-01-19

        Hi-

        We are looking at seeing if we can detect the version of snort running and display either one depending on the version.

        Kevin

    • Walter Brock
      2005-01-19

      Hi Kevin,

      That sounds great.  Actually, I don't think it's necessary to go all the way to autodetection.  With the number of users such as myself using spp_portscan shrinking all the time, a simple hand-edited boolean value in the config file would be more than sufficient.

      As always BASE ROCKS ! :-)

      Wally

    • Kevin Johnson
      2005-01-20

      That would work; we just try and stay away from conf values, as for some reason they are harder to support.

      Kevin

    • JLO
      2005-01-25

      All right, thanks for all the info folks.  I broke down and compiled snort 2.3.0RC2.  The old, obsolete spp_portscan still does a few things better that the others don't, but I'm running the sfportscan preprocessor now in addition, which seems to work pretty well, and its alerts do show up in the portscan section.  To be particularly honest, I didn't have a clue where to begin looking in the database to see if Snort was actually logging the stuff.  I'm glad to know that it wasn't my installation... I've noticed I don't get SPADE alerts through BASE either.  Is this more of the same?

      • Kevin Johnson
        2005-01-25

        Hi-

        We agree that the old way needs to be supported.  We are working on a patch for the next version which will support both.
        I personally don't run SPADE so I can't answer that part of the question.  Sorry.

        Kevin

    • JLO
      2005-01-25

      Oh yeah, BTW, I do still intend to use the spp_portscan preprocessor... so I would love a patch to fix this.  I don't mind doing it by hand if it isn't too much editing.  Thanks ever-so-much.
      tnangela-at-bellsouth.net